OIDC IDP Provider Setup
Overview
Use this guide to configure both Multi-Tenant and Single-Tenant OIDC providers for SSO to the Atria platform. Multiple provider types can be configured per customer, allowing you to support different identity requirements within the same hierarchy. You can also set a new default provider to replace the traditional AD username/password authentication path for that scope.
Before You Start
Use this section to collect the exact provider values needed for a successful first-time setup. Having these inputs prepared in advance reduces save-time validation errors and callback failures during testing.
From your IdP admin console, collect:
- Well-known URL (for example, for a Multi-Tenant Microsoft Configuration
https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration) - Client ID and Client Secret
- Registered redirect URIs:
https://{AtriaWeb}}/oidc/callbackhttps://{AtriaWeb}/oidc/link/callback
Decide upfront:
- Provider display name and optional icon URL
- Claim used for auto-linking (for example
emailorupn) - Atria user property used for matching
Provider Type Setup
Use the tabs below to apply the correct configuration model for your tenant design. The only intended difference is scope and issuer behavior, while the core provider fields remain the same.
- Single-Tenant
- Multi-Tenant
- Go to
Customer > Identity Provider Configurations. - Click Add.
- Set Access Level to
Current Customer. - Enable Default only if this customer should always use this provider.
- Enter Display Name, Client ID, Client Secret, and Well-known Endpoint.
- Wait for well-known validation (cloud checkmark) and select scopes.
- Optional: enable auto-linking and set
OIDC Claim+User Property. - Save the provider.
Issuer guidance:
- Prefer Exact mode for single-tenant issuers.
- Use Regex only when issuer format requires pattern matching.
- Go to
Customer > Identity Provider Configurations. - Click Add.
- Set Access Level to
Current and All Sub-Customers. - Optional: enable Default to enforce this provider for that scope.
- Enter Display Name, Client ID, Client Secret, and Well-known Endpoint.
- Wait for well-known validation (cloud checkmark) and select scopes.
- Optional: enable auto-linking and set
OIDC Claim+User Property. - Save the provider.
Issuer guidance:
- Prefer Regex mode for multi-tenant issuers.
- Example:
^https://login\.microsoftonline\.com/[^/]+/v2\.0$ - Keep regex strict (avoid broad wildcards).
Authentication Provider Settings Reference
This reference explains what each setting controls in the provider editor. Use it to align IdP configuration values with their runtime behavior in Atria login.
Definitions of Properties
| Setting | Purpose |
|---|---|
Display Name | Name shown on the login screen. Must be unique per customer scope. |
Wellknown Endpoint | OIDC discovery endpoint used to fetch endpoints/scopes/claims. Must be HTTPS and reachable. |
Client Id | OIDC client identifier from your IdP app registration. |
Client Secret | Secret used when exchanging authorization codes for tokens; stored securely. |
Icon | Publicly accessible URL for login button icon. |
Default | Enforces this authentication method for all login attempts for users of that IdP type; other providers are effectively blocked for that scope. See warning below. |
Access Level | Controls exposure: Current Customer or Current and All Sub-Customers. |
OIDC Claims | Claim used for auto-linking (for example email, upn). |
User Properties | Atria user field mapped to the selected OIDC claim. |
Scopes | Requested scopes used for token retrieval and claim availability (openid plus optional scopes). |
Issuer Validation Mode | Exact requires exact issuer match; Regex allows multi-tenant pattern matching. |
Issuer | Required when mode is Exact. Pre-filled from discovery where available. |
Issuer Regex Pattern | Required when mode is Regex; full-string matching is enforced. |
Enable Auto Linking | Allows sign-in without manual account linking by mapping claim to user property. |
If this provider is set as Default and the OIDC connection fails or is misconfigured, users for that scope may be unable to log in to the portal and support intervention will be required.
If this occurs, contact Atria Support: Contact Support
Validation and UI Messages
These are the most common validation and save-time messages shown in the provider editor. Use them to identify whether an issue is input formatting, provider metadata, or required-field enforcement.
| Message | Meaning / Action |
|---|---|
A provider with the specified name already exists. | Choose a unique Display Name. |
Failed to save the provider. | Save operation failed; check configuration and retry. |
Unable to save. The wellknown endpoint failed to load data | Discovery endpoint failed validation or retrieval. |
The wellknown endpoint must use HTTPS. | Update endpoint to https://.... |
A client secret is required for providers that support the authorization code flow. | Provide Client Secret before save. |
Issuer is required when issuer validation mode is Exact. | Populate Issuer. |
Issuer regex pattern is required when issuer validation mode is Regex. | Populate regex pattern. |
Issuer regex pattern is invalid. | Fix regex syntax. |
Select an OIDC claim to enable auto-linking. | Choose an OIDC Claim when auto-linking is enabled. |
Select a user property to enable auto-linking. | Choose a User Property when auto-linking is enabled. |
This provider does not advertise supported claims... | Enter claim manually (for example email, upn). |
Validate the Setup
Use this validation sequence to confirm the provider is visible, routable, and authenticating correctly for the intended scope. This is the minimum go-live check before enabling broad user access.
- Open login with a known customer user.
- Confirm provider visibility aligns with configured
Access Level. - If provider is default, confirm automatic redirect behavior.
- Complete sign-in and verify first login links subject to user.
Related Pages
Use the following pages for operational management and incident handling after initial setup.